Abstract

In distributed systems, the access control mechanism is often
modeled after stand-alone solutions, such as ACLs. Such
arrangement, however, is not ideal as the system may be mirrored
around the world and maintaining the ACLs becomes a problem. A
new approach to this problem is using authorisation certificates
to control access to resources. This diminishes management
overhead, but introduces problems with revocation.

A related problem is enforcing quotas in distributed systems.
Traditionally, authorisation certificates just limit the usage
interval, but not the volume. In this paper, we discuss these
problems in SPKI based delegation systems and propose some
refinements to the SPKI specification. In particular, we address
the problem of limiting the usage of resources to which a
certificate grants access. Finally, we develop a protocol for
solving these problems using online revocation and validation.